In our Enterprise network, we have a Websense server. This server permits or denies access to various websites. I am trying to tune LEM not to generate an event unless this server receives 150 permits or 150 denies in one second. But I am stuck at which Rule I should adjust.

The filter I created to capture events displays TCPTrafficAudit events. When I look at the Rules, I see the following. Which Rule should I adjust?

The events will be generated regardless as they are received and read from the logs, but you can use rules to determine when events might fire an email or notification. There isn't really a way to suppress events from being received or shown entirely on the LEM side, but you can use LEM to only "escalate" useful information to you when it passes your threshold.

For example, if you're getting a ton of Web Traffic but want to maybe see a different type of event when it exceeds your threshold, you can create a NEW rule that does something like:

WebTrafficAudit.EventInfo = *denied*

Threshold: 150 in 5 seconds

This would tell you if you saw more than 150 WebTrafficAudit events that contained the word "denied" within the last 5 seconds.

You might consider an advanced threshold for Same SourceMachine so you know when the same system on your network generates them, not just when suddenly a bunch of random people are getting to them.
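To make the threshold logic from the answer concrete, here is an added Python example (not part of the original thread and not LEM's own code) that replays constructed log lines through a sliding-window counter. It builds the rule described above (WebTrafficAudit events containing "denied", more than 150 within 5 seconds) and the per-SourceMachine variant, so you can see which bursts fire which rule. The log line format, the host names, and the fire-and-reset behaviour after an alert are assumptions made for the example.

```python
from collections import defaultdict, deque


def parse_event(line):
    """Parse a constructed line of the form '<epoch_seconds> <SourceMachine> <EventInfo...>'.
    This format is an assumption for the example, not LEM's log format."""
    ts, source, info = line.split(" ", 2)
    return {"ts": float(ts), "source": source, "info": info}


class ThresholdRule:
    """Count events whose EventInfo contains `pattern` inside a sliding time window and
    fire when the count exceeds `threshold` (the answer's "more than 150 in 5 seconds").
    With per_source=True each SourceMachine gets its own counter, like the advanced
    threshold the answer suggests. After firing, the counter is reset (assumed behaviour)
    so one burst produces one alert rather than one alert per extra event."""

    def __init__(self, pattern="denied", threshold=150, window_seconds=5.0, per_source=False):
        self.pattern = pattern.lower()
        self.threshold = threshold
        self.window = window_seconds
        self.per_source = per_source
        self._buckets = defaultdict(deque)  # key -> timestamps of matching events

    def feed(self, event):
        if self.pattern not in event["info"].lower():
            return None  # not a matching event; ignored by this rule
        key = event["source"] if self.per_source else "*"
        bucket = self._buckets[key]
        bucket.append(event["ts"])
        # Drop timestamps that have aged out of the window.
        while bucket and event["ts"] - bucket[0] > self.window:
            bucket.popleft()
        if len(bucket) > self.threshold:
            count = len(bucket)
            bucket.clear()
            return {"key": key, "count": count, "ts": event["ts"]}
        return None


def run_rule(lines, rule):
    """Feed every line through the rule and return the alerts it produced, in order."""
    alerts = []
    for line in lines:
        alert = rule.feed(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


def build_sample_events():
    """Constructed sample traffic: four scenarios that exercise the threshold differently."""
    lines = []
    # Burst A: 160 denies from one host within 1.6 s -> fires the global and per-source rule.
    for i in range(160):
        lines.append(f"{1000 + i * 0.01:.2f} host-A Web request denied: example.invalid")
    # Background permits: ignored by a rule that matches on 'denied'.
    for i in range(40):
        lines.append(f"{1000 + i * 0.05:.2f} host-B Web request permitted: example.invalid")
    # Burst B: 160 denies spread over 100 hosts within 0.8 s -> global fires, per-source does not.
    for i in range(160):
        lines.append(f"{2000 + i * 0.005:.3f} host-{i % 100:03d} Web request denied: example.invalid")
    # Slow trickle: 160 denies over 80 s from one host -> never more than ~11 in any 5 s window.
    for i in range(160):
        lines.append(f"{3000 + i * 0.5:.1f} host-C Web request denied: example.invalid")
    return sorted(lines, key=lambda l: float(l.split(" ", 1)[0]))


if __name__ == "__main__":
    events = build_sample_events()
    print("global rule:    ", run_rule(events, ThresholdRule()))
    print("per-source rule:", run_rule(events, ThresholdRule(per_source=True)))
```

The global rule alerts on both bursts, while the per-SourceMachine rule alerts only on the host that generated 160 denies by itself; the slow trickle never trips either, which is the difference between "a lot of denies happened today" and "one machine is hammering blocked sites right now".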
